The software, still used by Google but now known as Single Sign-On, has been discussed publicly only once, four years ago at a conference, the report said.

Gmail users’ passwords do not appear to have been lost, but there is a small possibility that attackers with access to the stolen software could find vulnerabilities in it that Google itself does not know about, the report said.

Google spokesman Jay Nancarrow declined to comment beyond Google’s original blog post revealing the attacks. In that post, Google cited the attacks and concerns over censorship as it also announced plans to stop filtering search results on its China-based search engine, which it had done for years to comply with government demands. Chinese users are now redirected from the old search engine to Google’s Hong Kong site, where political content is uncensored.

Google has said over 20 other companies were also targeted in the attacks.

The theft from Google started when an employee in China clicked on a link to an infected site, which was sent to the employee via instant message, the Times said. The attacker was then able to access the employee’s computer and, eventually, a software base used by developers at Google’s California headquarters, the report said.

The attackers also had access to an internal Google directory called Moma that stores information about each employee’s work tasks, it said.